This morning the first of a season of reports on surveillance and information assurance was published. The House of Commons Home Affairs Select Committee report was released to the Sunday Papers at one minute past midnight. The Commons Press Gallery get their copies at 09.00 Monday morning. Meanwhile the Cabinet Office report and recommendations on Information Assurance have been circulating, unpublished for nearly two months.

Kieran Poynter’s review and recommendations with regard to the lessons from the HMRC disc losses is supposedly due for imminent publication. Sir Edmund Burton’s review and recommendations with regard to the laptop losses from the Ministry of Defence is said to be similarly complete. Meanwhile, the report completed almost a year ago, by the Cabinet Office “independent assessor” on the state of information assurance across Whitehall remains unpublished, save for the summary. In the pipeline is the report by Richard Thomas and Mark Walport. There are more, covering other parts of Government and the private sector.

In talking to the press this morning the chairman of the Select Committee referred to the millions of surveillance cameras in the UK. Most are out-of-order, unmanned and/or fail to produce images of evidential quality. Many are useless after sunset, e.g. those supposedly protecting unlit pub carparks. The recordings from those that are working are rarely held securely. Recordings of “courting couples” and other “amusing incidents” are regularly available for exchange or sale.

The debates over data retention, in case it is required to investigate possible offences, from misleading school selectors as to your main home through consumer protection to anti-terrorism, are as divorced from reality as those over CCTV.

Those calling for records of communications or transactions to be retained to aid consumer protection or the war against terror rarely know what they may need to know and do not appreciate that stored data becomes inaccessible unless actively managed. And active management is not only expensive, it reduces security and removes evidential value.

Calls to simply stop collecting, storing or sharing data are not the answer. More people suffer and die because information is not shared when it should have been than because of abuse. A key part of the EURIM agenda is therefore to bring together information systems and security practitioners to reset the agenda around organising efficient, secure and democratically accountable sharing and surveillance.

The problem is not the hardware or software that so obsesses ICT professionals. It is the probity, morality and competence of the “wetware”, the people who design, build and operate the systems and who enter, retrieve or analyse the information.

The UK currently spends somewhere over £3 billion a year on electronic security and less than £30 million a year on e-policing, including child protection. The Citizens Advice Bureau and Salvation Army may protect their clients’ data, routinely encrypting all laptops – including those that are not supposed to leave the office – while government departments and the Ministry of Defence regularly lose unencrypted systems, including from supposedly secure areas. Discs of data awaiting analysis have even been stolen from supposedly secure forensic facilities.

Society is now critically dependent on on-line systems. The Internet may be resilient in theory but most of us access it over networks that have more bottlenecks than a brewery. It was built for ease of use – with attempts to retrofit security. Today most of the western world is on-line: including most of our criminals.

Shortly after Y2K, EURIM set up a group to look at the issues of E-Crime. The title we chose for our first report was “E-Crime – a new opportunity for partnership”. It has proved to be all too accurate. Criminals have seized the opportunity to create integrated global supply chains, from malware production and data theft, through phishing, botnet recruitment, herding and exploitation to networks of mules to launder the gains. Meanwhile law enforcement is still at first base, obsessing over better intelligence to help justify future budgets.

In parallel, our ability to spy on our on-line neighbours, possible future recruits or business partners, is frightening.

I recently asked a colleague about someone who had sent an e-mail asking to become involved in a sensitive study. I expected to receive a note of their current job title and organisation. It was easier for my colleague to forward me their LinkedIn entry: being a security consultant the person who had sent the e-mail was not on Facebook.

In my essay for the 50th Anniversary of LEO I predicted that we would pass through a nadir when no-one trusted what they found or received on-line. I would like to think that we are close to the bottom of the nadir – and that the current crop of reports and recommendations will mark a turning point.

In the meantime, we may already have a surveillance society – but hardly anyone is watching and we do not know if we can trust those who are.

The plans to update the legislation on the Regulation of Investigatory Powers offer a great opportunity to improve the governance and accountability of those who most (but not all) of us would like to be able to trust to watch over us.

1 comment

More people suffer and die because information is not shared when it should have been than because of abuse.

Philip — could you point us to some evidence for that?

The largest single example is the five thousand or so East Germans who ceased to be monitored when the cancer registry (of those at risk because of they had worked) was deleted after unification. It did not meet with data protection requirements. There are allegations, although I have not seen any analyses, that several hundred die of drug interactions in the NHS that would not have occurred had their records been shared between the clinicians concerned. The first session of the EURIM Transformational Government dialogues (recording on the EURIM website) was given a very specific example from Milton Keynes where an elderly man died while waiting for services to be joined up so that he could be rehoused. The deletion of the police records, supposedly on grounds of data protection, that would have prevented Huntley from working in Soham School is another.